US Army supplements passwords with behavioural biometrics

Are behavioural biometrics the next evolutionary step in user authentication?

The U.S. Army Network Enterprise Technology Command (NETCOM) has chosen to deploy Plurilock’s BioTracker continuous passive behavioural biometric authentication solution to strengthen the existing government-mandated Common Access Card (CAC). Behavioural biometrics are often seen as the next evolutionary step in user authentication.

User authentication at the point of access has always been a problem and a weak point for cybersecurity. Despite the frequency of password-related data breaches – and the efforts of the security industry – passwords remain too weak while multi-factor authentication is too complex for universal adoption by users.

It’s clear that single-factor password authentication alone is not enough to maintain security, and needs to be bolstered by additional factors. While security vendors work to develop new and stronger multi-factor forms of authentication to meet this need, business has been reluctant to adopt them. So far, the options available have been limited to tokens – physical or virtual – or physical biometrics; both of which present too many problems to encourage large-scale adoption.

Tokens offer an extra layer of security, but like passwords only authenticate the user (and often just the device) at the time of access; that is, they are point-in-time authenticators. Physical biometrics are directly tied to a user’s physical characteristics – fingerprint, voice, iris pattern, etc. – and can thus authenticate the user and not just the device; but physical biometrics remains point-in-time only. These methods can only verify either the device or the person who logged on – they cannot verify that it is still that person or device continuing the session.

They also suffer from one major drawback – they interfere with the user’s workflow. This is known as ‘user friction’ and often results in users ignoring or bypassing log-on controls; using weak, memorable passwords and avoiding multi-factor authentication wherever possible. All too often, both single and multi-factor authentication is defeated by attackers. Since they are point-in-time authenticators, they only need to be beaten once for an attacker to have continuous access to a network.

To overcome these problems, the concept of behavioral biometrics is emerging as a means of continuously and passively authenticating the user. Rather than relating to a user’s physical characteristics, behavioral biometrics measure operating practices. Tied to a user’s habits rather than biology, they are based on typing speeds and patterns, mouse or touch pad operation, the location, browser, device and time that is usually employed. Properly implemented, this makes user authentication less intrusive, less costly, and continuous – or, as Plurilock calls it, persistent presence.

Behavioural biometrics are made possible using artificial intelligence (AI); or more specifically, the machine-learning aspect of AI. The system monitors a known and authorised user. Within 30 minutes it can compile a user profile based on the user's operating behaviour. From then on, whenever that user connects to the network, his or her behaviour is scanned every few minutes and compared to the stored profile. This monitoring is entirely frictionless, designed to be conducted passively without intruding on, or even being noticed by, the user.

There is a further major advantage to this continuous authentication: incident response. If point-in-time authentication is defeated, an adversary is into the network as an authorised user; and is not necessarily challenged again. An ‘incident’ has already occurred, and defenders need to rely on separate incident response solutions to detect the adversary’s presence.

This is increasingly dependent on network anomaly detection, which itself relies on the employment of rare and expensive threat hunters – the most experienced of security analysts.

Once past the initial authentication, a successful attacker can go undetected for weeks or months, during which time he or she has potential access to corporate secrets and sensitive data.

The new continuous, passive, behavioural biometric authentication offers a solution. Even if an adversary makes a successful initial breach, the attacker will be detected within minutes by the next behaviour scan. The security team can be notified automatically, and the potential for error in interpreting the anomaly will be drastically reduced by the high mathematical probability evaluated by the AI. This will also let the security team know exactly where and when the breach occurred.

The theoretical advantages of continuous passive authentication have now been recognised by the US Army. At the end of last week (17 August, 2017), it was announced that the U.S. Army Network Enterprise Technology Command (NETCOM) will deploy Plurilock's BioTracker continuous authentication cybersecurity software to protect the warfighter against adversarial identity compromise.

Plurilock's "proof-of-presence technology," said CEO Ian Peterson, "ensures outstanding compliance to meet even the most stringent regulatory mandates, and because there are no manual authentication procedures required, it has zero impact on productivity. Users can go about their normal activities with the confidence that Plurilock has them covered.”

While behavioural biometrics are largely untested in wider industry, the US army’s investment in the technology shows high confidence and promise in the evolution from binary point-in-time authentication to continuous probability. The success or failure of this high-profile implementation is likely to have a large impact on the uptake of the technology in other areas of public and private industry.

Kevin Townsend Kevin Townsend has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.